However, TLS, the technology that helps to secure HTTP connections, can and should be used to protect all Internet communications—not just the HTTP protocol used to fetch webpages. Though HTTP/S makes up the majority of Internet traffic, there are other network protocols out there that are extremely important to secure. The Internet’s address book, file-sharing between computers, and email don’t use HTTP; they use other communication protocols which are also insecure by default and can benefit from TLS as well, to varying degrees of success.

But we’ve decided to expand our mission—from Encrypting the Web to Encrypting the Internet. And we’re tackling SMTP, the protocol that servers use to send email, next! With the most recent release of Certbot v0.29.1, we’ve added some features which make it much easier to use with both Sendmail and Exim. In this guide, we’ll explain how to use Certbot and Let’s Encrypt if you’re trying to secure a mailserver (or, really, anything that isn’t a webserver).

Brief background: How does Certbot work?

Let’s Encrypt is a Certificate Authority, which issues certificates, and Certbot is a piece of software you run on your server that requests them for you. Certbot makes these requests to Let’s Encrypt’s servers using a standardized protocol called ACME.

As part of the ACME protocol, Let’s Encrypt will issue a “challenge” to your server, asking it to prove control over the domain you’re trying to get a certificate for. The most common way to do this requires your server to use port 80 to serve a file with a particular set of contents.

Obtaining and renewing your TLS Certificate

Since the most common ACME challenge that Certbot performs is over port 80, the complexity in Certbot’s most popular webserver plugins (namely, Apache and Nginx) exists so that website owners can obtain and renew certificates while still serving content from that same port 80, without experiencing downtime.

If you’re running a mailserver, you might not have a complex service competing for port 80 on your machine, so you don’t need all these bells and whistles. If you do have a webserver running on port 80, you can also supply a webroot directory for Certbot to use. Either way, Certbot is still easy to use!

Choose “None of the above” in the software selector. In the system selector, choose the closest match to the operating system where you’re running the mailserver.

Then, you’ll want to follow the instructions for running Certbot with the --standalone flag, passing your mailserver's hostname to the -d (domain) flag:

sudo certbot certonly --standalone -d <mail.example.com>

[If you are running a webserver on the same machine, you’ll need to use our webroot plugin instead of the `standalone` flag!]

Make sure to also follow through the Automating renewal section, and set up a regular cronjob, systemd timer, or equivalent on your system to run certbot renew regularly.

A note about port 80

If you've got a firewall blocking port 80 on your machine, you'll have to punch a port-80-shaped hole for the duration of Certbot's challenge. You can do this by adding the following to /etc/letsencrypt/cli.ini:
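As an added example of such a hook setup (not the post's own snippet): the script below is referenced from /etc/letsencrypt/cli.ini through the pre-hook and post-hook options, which are real Certbot settings (the same keys exist as --pre-hook/--post-hook on the command line). It assumes an iptables-based firewall whose INPUT chain otherwise drops TCP port 80; the install path /usr/local/sbin/port80-hook.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. A hook script that opens
# the port-80 hole only while Certbot's standalone challenge runs, and closes
# it again afterwards.
# Assumptions: an iptables firewall whose INPUT chain otherwise drops TCP/80,
# and that this file is installed as /usr/local/sbin/port80-hook.sh.
# Reference it from /etc/letsencrypt/cli.ini (pre-hook and post-hook are real
# Certbot options):
#
#   pre-hook  = /usr/local/sbin/port80-hook.sh open
#   post-hook = /usr/local/sbin/port80-hook.sh close
#
# Certbot runs the pre-hook before the challenge and the post-hook after it,
# so the rule exists only for the few seconds the validation needs.

IPTABLES="${IPTABLES:-iptables}"   # override (e.g. IPTABLES=echo) to dry-run

# Print the iptables arguments for the requested action.
# "open" inserts an ACCEPT rule at the top of INPUT; "close" deletes that
# exact rule again, so the firewall returns to its previous state.
port80_rule_args() {
    case "$1" in
        open)  printf '%s\n' '-I INPUT -p tcp --dport 80 -j ACCEPT' ;;
        close) printf '%s\n' '-D INPUT -p tcp --dport 80 -j ACCEPT' ;;
        *)     printf 'usage: %s open|close\n' "$0" >&2; return 2 ;;
    esac
}

# Apply the rule. Word-splitting of the argument string is intentional.
port80_hook() {
    args=$(port80_rule_args "$1") || return $?
    # shellcheck disable=SC2086
    "$IPTABLES" $args
}

# Only act when invoked with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    port80_hook "$1"
fi
```

Because Certbot's standalone plugin binds port 80 itself, nothing else needs to change; if you later move to the webroot plugin the hooks can simply be removed from cli.ini.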

Installing the certificate

Where <HOSTNAME> is the hostname for your mailserver; for instance, mail.example.com.

Point your mailserver configuration files at these filepaths. You should be able to read up on your particular mailserver’s guide for setting up TLS; we’ve included some examples for popular email software below.
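Before editing the mailserver configuration, it is worth confirming that the files Certbot produced actually belong together and are not about to expire. The following checks are an added example, not code from the post; they assume only the openssl command-line tool and Certbot's standard file names (fullchain.pem and privkey.pem under /etc/letsencrypt/live/<HOSTNAME>/).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Certbot lineage
# before pointing a mailserver at it, and inspect what the server serves
# afterwards. Assumes only that the openssl CLI is installed.

# cert_matches_key CERT KEY: succeeds if the public key embedded in CERT is
# the one derived from KEY. Works for RSA and ECDSA keys alike. openssl x509
# reads the first certificate in the file, i.e. the leaf in fullchain.pem.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeeds if CERT does not expire within DAYS.
# Useful as a guard in monitoring, since a stalled renewal job fails silently.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# check_lineage LETSENCRYPT_DIR HOSTNAME: run both checks on live/<HOSTNAME>.
check_lineage() {
    live="$1/live/$2"
    cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" \
        || { echo "$2: fullchain.pem and privkey.pem do not match" >&2; return 1; }
    cert_valid_for_days "$live/fullchain.pem" 7 \
        || { echo "$2: certificate expires within 7 days" >&2; return 1; }
}

# show_served_cert HOSTNAME [PORT]: after installation, open a STARTTLS session
# to the mailserver (port 25 by default) and print the certificate it presents.
show_served_cert() {
    openssl s_client -connect "$1:${2:-25}" -starttls smtp -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
}

# Usage: check_lineage /etc/letsencrypt mail.example.com && show_served_cert mail.example.com
```

Run check_lineage as root (the live/ directory is not world-readable) and show_served_cert from any machine with network access to the server; if the subject or dates differ from the files on disk, the mailserver is still loading an old certificate and needs a reload.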

If you have trouble at this step, or your documentation isn’t clear, ask for help! Some folks at the Let’s Encrypt Community Forums may be able to help you install your shiny new certificate.

Congratulations! That’s it. You now have your very own certificate.

Guides for particular mailservers

The most recent release of Certbot (v0.29.1) provides some features that make it easier to use with some mailserver software, including Exim and Sendmail. In particular, you can set the group owner and group mode on the private key, which should be preserved on each renewal.

Sendmail (Certbot 0.29.1+)

As of Certbot 0.29.1, the permissions should be set properly on your private key. If your Certbot version is earlier than this, you’ll have to put chmod 600 /etc/letsencrypt/live/<HOSTNAME>/privkey.pem in a hook.

Then rebuild your Sendmail configuration and restart the daemon:

make -C /etc/mail install && make -C /etc/mail restart

Exim (Certbot 0.29.1+)

Exim usually doesn’t run under root, but under a different user group. Set the permissions of the cert directory and key material, as well as the appropriate places in the `archive` directory.

As of Certbot 0.29.1, the permissions you set on your private key material should be preserved between renewals. If your Certbot version is earlier than this, you’ll have to put those permission changes in a hook or in your renewal cronjob.

A note about older versions of Certbot

Both Sendmail and Exim have permissions requirements for the private key file that you give them. Versions of Certbot older than 0.29 may not preserve your keys’ permission settings, so you’ll have to perform the permission adjustments mentioned above in a post-hook or in your renewal cronjob.
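One way to perform those adjustments automatically, as an added example rather than the post's own commands: a Certbot deploy hook that gives the mailserver's group read access to the private key after every successful renewal. It assumes the standard /etc/letsencrypt layout (live/<HOSTNAME>/privkey.pem is a symlink into archive/<HOSTNAME>/) and a group name you supply via MAIL_GROUP; Exim's group varies by distribution (Debian-exim on Debian's packages), so check your own system. The /etc/letsencrypt/renewal-hooks/deploy directory and the RENEWED_LINEAGE variable are real Certbot features.

```shell
#!/bin/sh
# Added example, not code from the original post: a Certbot deploy hook that
# applies the group ownership and mode the mailserver needs on the private key.
# Useful on Certbot releases older than 0.29, which may reset permissions on
# renewal, or wherever you want the policy enforced explicitly.
# Assumptions: the standard /etc/letsencrypt layout, where live/<host>/privkey.pem
# is a symlink into archive/<host>/privkeyN.pem, and a group name supplied in
# MAIL_GROUP (placeholder; e.g. Debian-exim for Exim on Debian).
#
# Installed as /etc/letsencrypt/renewal-hooks/deploy/key-perms.sh, Certbot runs
# it after every successful renewal with RENEWED_LINEAGE set to the
# live/<host> directory of the certificate that was just renewed.

set -eu

# secure_key_perms LETSENCRYPT_DIR HOSTNAME GROUP
# Lets GROUP traverse the live/ and archive/ directories for HOSTNAME and read
# the private key(s), without giving anyone else access: directories become
# 0750 and keys 0640 (owner rw, group r, nothing for others).
secure_key_perms() {
    base=$1; host=$2; grp=$3
    for d in "$base/live" "$base/live/$host" "$base/archive" "$base/archive/$host"; do
        chgrp "$grp" "$d"
        chmod 0750 "$d"
    done
    # The live/ entry is a symlink; the real key files live in archive/.
    for key in "$base/archive/$host"/privkey*.pem; do
        [ -f "$key" ] || continue
        chgrp "$grp" "$key"
        chmod 0640 "$key"
    done
}

# key_is_group_readable_only FILE: succeeds only if FILE is mode 0640 exactly.
# Uses find's octal -perm match so it does not depend on GNU stat.
key_is_group_readable_only() {
    [ -n "$(find "$1" -prune -perm 0640)" ]
}

# Hook entry point: Certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<host>.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    le_dir=$(dirname "$(dirname "$RENEWED_LINEAGE")")
    secure_key_perms "$le_dir" "$(basename "$RENEWED_LINEAGE")" \
        "${MAIL_GROUP:?set MAIL_GROUP to the group your mailserver runs as}"
fi
```

A deploy hook runs only when a certificate was actually renewed, which is the moment a new privkeyN.pem appears in archive/; Certbot's renew command itself needs no extra arguments once the script is in the deploy directory and executable.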
